curl-library

Re: nul bytes in form field names

From: Patrick Monnerat via curl-library <curl-library_at_cool.haxx.se>
Date: Tue, 19 Sep 2017 17:07:15 +0100

On 09/19/2017 03:55 PM, Daniel Stenberg wrote:
>> According to standards, nul bytes are allowed and significant
>> characters in form field names. This practice is however discouraged
>> since it may lead to header parsing errors or be understood by
>> servers as an attack attempt. In addition, header syntaxes containing
>> nul bytes are now deprecated [1].
>
> I don't see any good reason to support that edge case.

Thanks for your reply Daniel,
I'll remove this support and update the documentation.
Please note this will affect the form API compatibility.
Do we keep the length parameter for names or suppress it and require
that names are always nul-terminated?
If we keep it, I'll check in curl_mime_name() for invalid names.

> I don't think I've ever encountered such a use case in the real world
> and I've never seen a curl/libcurl user who wanted it or used it.

The only place I've ever seen it is in the pre-Apr 2011 formdata.c
_FORM_DEBUG enabled code :-)

Patrick
Received on 2017-09-19
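
Added example, not part of the message above and not libcurl code: one way a name setter that keeps a length parameter could check for invalid names, as the message proposes for curl_mime_name(). The helper names, the status enum and the NAME_ZERO_TERMINATED sentinel are assumptions made for illustration, and the sample name is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical sentinel: "name is nul-terminated, measure it with strlen". */
#define NAME_ZERO_TERMINATED ((size_t)-1)

enum name_status { NAME_OK, NAME_EMBEDDED_NUL, NAME_BAD_ARG, NAME_NO_MEM };

/* Hypothetical helper (not libcurl code): validate a (pointer, length) field
   name and hand back a nul-terminated copy in *out; the caller frees it. */
enum name_status name_dup_checked(const char *name, size_t len, char **out)
{
  char *copy;

  if(!name || !out)
    return NAME_BAD_ARG;
  *out = NULL;
  if(len == NAME_ZERO_TERMINATED)
    len = strlen(name);
  /* A nul within the first len bytes would silently truncate the name for
     any later code that handles it as a C string, so refuse it up front. */
  if(memchr(name, '\0', len))
    return NAME_EMBEDDED_NUL;
  copy = malloc(len + 1);
  if(!copy)
    return NAME_NO_MEM;
  memcpy(copy, name, len);
  copy[len] = '\0';
  *out = copy;
  return NAME_OK;
}

/* Number of bytes a strlen()-style consumer would see of a len-byte name. */
size_t name_visible_len(const char *name, size_t len)
{
  const char *nul = memchr(name, '\0', len);
  return nul ? (size_t)(nul - name) : len;
}

int main(void)
{
  static const char bad[] = { 'u', 's', 'e', 'r', '\0', 'i', 'd' }; /* constructed */
  char *copy = NULL;
  printf("declared %zu bytes, C-string view %zu bytes, status %d\n",
         sizeof(bad), name_visible_len(bad, sizeof(bad)),
         (int)name_dup_checked(bad, sizeof(bad), &copy));
  free(copy);
  return 0;
}
```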